A nice idea is to have two separate machines (physical or virtual) for incoming and internal/outgoing SMTP traffic. That way you can have more restrictions in place for outside messages, more strict spam/attachment control, and less restrictive rules for internal mail (for example you might consider a larger message size on the internal server).
Using greylisting (for example postgrey) can be an excellent idea, if you don't want to use SpamAssassin. Just put it high on the smtpd_recipient_restrictions list, like this:
    smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        permit_mynetworks,
        permit_sasl_authenticated,
        # checks for known hostnames, addresses, clients
        check_policy_service inet:127.0.0.1:60000
And remember to change the default delay time from 300 to something higher, preferably random (but not higher than 1200-1500). This way if a mail server is unknown to your SMTP, it will have to wait a couple of minutes before trying to deliver a message again, thus relieving your spam filter and greatly reducing UBE.
I also suggest acquiring a good blacklist of popular spammer CIDR classes, and filtering out incoming server SMTP traffic (not client) from ppp or dynamic domains. That should help also.
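The decision a greylisting policy service makes behind the check_policy_service line above, as an added example that is not part of the original answer and is not postgrey's code. It reads one Postfix policy-delegation request and answers DEFER_IF_PERMIT until the configured delay has passed; the class and function names, the /24 keying and the sample request are assumptions made for illustration.

```python
import time

class Greylist:
    """In-memory greylist keyed on (client network, sender, recipient)."""

    def __init__(self, delay=300, clock=time.time):
        self.delay = delay      # seconds a new triplet must wait before a retry passes
        self.clock = clock      # injectable so the timing can be exercised offline
        self.first_seen = {}    # triplet -> timestamp of the first attempt

    def decide(self, attrs):
        # Assumption: key on the IPv4 /24 instead of the exact address, so a
        # retry from another host in the same sending pool still matches.
        net = ".".join(attrs["client_address"].split(".")[:3])
        key = (net, attrs["sender"].lower(), attrs["recipient"].lower())
        now = self.clock()
        first = self.first_seen.setdefault(key, now)
        waited = now - first
        if waited < self.delay:
            left = int(self.delay - waited)
            return f"DEFER_IF_PERMIT Greylisted, retry in {left} seconds"
        return "DUNNO"  # no opinion: the remaining restrictions still apply


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle(greylist, text):
    """Return the wire-format reply for one request (action line + blank line)."""
    return f"action={greylist.decide(parse_request(text))}\n\n"

# Constructed sample request, in the shape smtpd sends at the RCPT TO stage.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.25\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)
```

A legitimate MTA queues the deferred message and retries after the delay, at which point the same triplet gets DUNNO and the later checks take over; a sender that never retries is never seen by the content filter.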
My first line of defense is my firewall, and I put it to good use since it provides the highest ROI and is exceedingly simple to implement. Since I do not wish to make my network accessible to the entire world, I unapologetically block most of it (your mileage may vary, obviously). Next, replace Sendmail with Postfix -- yet another high-ROI modification. Finally, I used Jim Seymour's Postfix Anti-UCE Cheatsheet (minus some RBL and other external UCE list sites) to choose what would work best for me. I can count on one hand the number of daily UCE attempts to my mail server, and, along with some of cop1152's suggestions (to which I would add no domain catch-alls), I average less than one successful delivery per month.
I make use of:
Example:
The reject_non_fqdn_hostname option catches a lot of servers, but your mileage may vary depending who you receive mail from.
Use SPF, SpamAssassin, Razor, Pyzor, DCC, Graylist and use a setup like the other answer example:
Check out http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html - it's a set of regex block rules for Postfix that block a high amount of dynamic IP addresses without catching too many legit servers.
I also run postgrey (http://postgrey.schweikert.ch/) which helps catch what the regex doesn't.
to PREVENT spam..
Don't let your email address get out there. Keep it off lists. Don't use it to sign up for ANYTHING, use a throw-away for that.
If you see a forward that has a thousand addresses visible DO NOT PASS IT ALONG.
Don't try to unsubscribe from SPAM using the link provided in the email. These usually just verify your email to a bot.
If you have placed a Craigslist ad and receive some spam because of it DO NOT REPLY TO IT. The spam is likely being re-mailed from the Craigslist reply-to address. It will go away sooner or later.
If you are using Outlook, DO NOT OPEN spam email. Opening these emails can activate a unique link that will verify your address to a bot.